d4Rk's 1337 h4x0r guide
Webserver scanning

Last updated 2 years ago

Related

See TCP 80, 443: HTTP(S)

Common wordlists

See SecLists by Daniel Miessler.

General

  • /usr/share/seclists/Discovery/Web-Content/common.txt

  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

CGI

  • /usr/share/seclists/Discovery/Web-Content/CGIs.txt

SharePoint

  • /usr/share/wordlists/SecLists/Discovery/Web_Content/sharepoint.txt

gobuster

- Directory/File, DNS and VHost busting tool written in Go
- See GitHub - OJ/gobuster

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -o gobuster -t 50 -u <host>

File extensions

Extensions are passed to gobuster with -x as a comma-separated list (no spaces).

IIS

-x asp,aspx,html,txt

Apache / nginx

-x php,cgi,jsp,html,txt

wfuzz

- Web application fuzzer
- See GitHub - xmendez/wfuzz
- FUZZ and FUZ2Z are replaced by the first and second -w wordlist respectively, so two keywords need two -w options; --hc 404 hides 404 responses
- BBB filters against a baseline response, which needs a baseline value in braces after the keyword

wfuzz -w <wordlist-file> -w <wordlist-file> --hc 404 <host>/FUZZ/FUZ2Z
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --sh BBB <host>/file.php?param=FUZZ{<baseline-value>}

ffuf

- Fast web fuzzer written in Go.
- See GitHub - ffuf/ffuf

Enumerate usernames

ffuf -w <wordlist-file> -X POST -d "email=FUZZ&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u <url> -mr "email already exists"

Brute force passwords

Each wordlist gets its own -w option with its keyword appended after a colon.

ffuf -w emails.txt:W1 -w <password-file>:W2 -X POST -d "email=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u <url> -fc 200

nikto

- Web server scanner
- See GitHub - sullo/nikto

nikto -h <ip> -Format txt -o .

dotdotpwn

- The Directory Traversal Fuzzer
- See GitHub - wireghoul/dotdotpwn

dotdotpwn -m http -h <ip> -f <file>
dotdotpwn -m http-url -u http://<ip>/nav.php?page=TRAVERSAL -o unix -s -d 4 -k "root:" -f /etc/passwd

dirb

- DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It works by launching a dictionary-based attack against a web server and analysing the responses.
- See DIRB

dirb <host> -o dirb

DirBuster

- DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
- See DirBuster

dirbuster

Web application firewall (WAF) detection

You can use wafw00f to detect web application firewalls (WAFs).

wafw00f <url>

wappalyzer (firefox add-on)

- See Firefox extensions
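The wordlist tools above (gobuster, wfuzz, ffuf, dirb, DirBuster) all leave the same footprint on the target: one client, a burst of requests to distinct paths, most of them answered with 404/403. As an added example that is not part of this guide, the following Python scores Apache/nginx combined-format access log lines by that pattern, with the default User-Agent strings of those tools as a secondary signal. The thresholds, the sample log lines and the `_entry` helper are constructed for this example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Substrings of the default User-Agent sent by the tools above; every one of them
# lets the operator change it, so a UA match is a hint, not proof.
SCANNER_UA = ("gobuster", "wfuzz", "fuzz faster u fool", "nikto", "dirbuster")

def analyse(lines, min_requests=20, min_miss_ratio=0.8):
    """Return {ip: summary} for clients whose traffic looks like a wordlist scan."""
    # A dictionary scan is one client sending many requests to distinct paths,
    # most of which miss (403/404); the User-Agent check is a bonus signal.
    per_ip = defaultdict(lambda: {"requests": 0, "misses": 0, "paths": set(), "uas": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        s = per_ip[m["ip"]]
        s["requests"] += 1
        s["misses"] += int(m["status"] in ("403", "404"))
        s["paths"].add(m["path"])
        s["uas"].add(m["ua"].lower())
    findings = {}
    for ip, s in per_ip.items():
        miss_ratio = s["misses"] / s["requests"]
        ua_hit = any(tag in ua for ua in s["uas"] for tag in SCANNER_UA)
        volume_hit = (s["requests"] >= min_requests and miss_ratio >= min_miss_ratio
                      and len(s["paths"]) >= min_requests)
        if ua_hit or volume_hit:
            findings[ip] = {"requests": s["requests"], "miss_ratio": round(miss_ratio, 2),
                            "scanner_ua": ua_hit}
    return findings

def _entry(ip, path, status, ua):
    # Constructed helper that renders one combined-format line with a fixed timestamp
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample log: a gobuster run, a scan hiding behind a browser UA, a real visitor.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
SAMPLE_LOG = (
    [_entry("10.0.0.5", f"/word{i}", 404 if i % 10 else 200, "gobuster/3.1.0") for i in range(30)]
    + [_entry("203.0.113.7", f"/dir{i}", 404, BROWSER) for i in range(25)]
    + [_entry("192.0.2.10", p, 200, BROWSER) for p in ("/", "/index.php", "/about")]
)
```

`analyse(SAMPLE_LOG)` flags 10.0.0.5 (User-Agent plus volume) and 203.0.113.7 (volume only, despite the browser User-Agent) and leaves 192.0.2.10 alone.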